Infrastructure

The KERI/ACDC Identity Stack

Every selfdriven.consulting engagement runs on KERI and ACDC — the cryptographic identity infrastructure that makes agent authority, audit trails, and human accountability provable by architecture, not just policy.

Why cryptographic identity?

The core problem with AI-agent consulting is trust: how do you know who authorised the agent? How do you know an agent's findings haven't been tampered with? How do you know the human claiming accountability actually has it?

KERI (Key Event Receipt Infrastructure) and ACDC (Authentic Chained Data Containers) solve this at the infrastructure level — not through policy or contractual promises, but through cryptographic proof that can be independently verified.

Self-sovereign, not federated

Traditional identity systems — OAuth, SAML, Active Directory — require a central authority to vouch for identities. If that authority fails, is breached, or becomes adversarial, the system collapses. KERI identifiers are self-certifying: the proof of identity is in the key events themselves, not in any registry or authority.

This means every conductor and agent identity in a selfdriven engagement is verifiable by anyone, at any time, without asking permission of any central party.

Core Concepts

The building blocks of cryptographic trust

Eight concepts underpin the KERI/ACDC stack. You don't need to understand all of them to benefit — but knowing what they are makes the trust model concrete.

AID
Autonomic Identifier
A self-certifying identifier derived directly from a cryptographic key pair. No registry, no certificate authority — the identifier proves itself. Every conductor, agent, and engagement has a unique AID.
KEL
Key Event Log
An append-only, ordered record of every key event associated with an AID — inception, rotation, interaction. The KEL is the source of truth for an identifier's history. Tamper-evident by design.
icp
Inception Event
The first event in a KEL — establishing the AID. For an engagement, the inception event is created when the brief is received, anchoring the start of the relationship to the ledger.
dip
Delegated Inception
When a conductor activates an agent, they issue a delegated inception event — creating a new AID for the agent whose authority is cryptographically bound to and derived from the conductor's AID.
ixn
Interaction Event
Any significant action — producing a deliverable, approving a recommendation, completing an analysis — generates an interaction event anchored to the KEL. Every action is evidenced.
rot
Rotation Event
Key rotation without identity change. When a conductor rotates their signing keys (for security), the KEL records the rotation event — maintaining identity continuity across the engagement lifecycle.
ACDC
Authentic Chained Data Container
A verifiable credential anchored in KERI — used to issue scoped, time-limited authorities to agents and to attest the authenticity of deliverables. Every ACDC chains to its issuer's AID and KEL.
vLEI
Verifiable Legal Entity Identifier
A GLEIF-issued ACDC credential for organisations — used to cryptographically attest the legal identity of selfdriven Foundation entities and anchor institutional accountability.
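
A simplified model of the AID, KEL and ixn anchoring defined above, added here as an illustration; it is not selfdriven's code or the KERI reference implementation. It assumes SHA-256 over JSON in place of KERI's own encoding, models only icp and ixn events, and omits the signature and witness-receipt checks a real KERI verifier performs; the field labels (t, s, i, p, a, d) follow KERI's event fields, and the helper names are hypothetical.

```python
import copy, hashlib, json

def said(ev: dict) -> str:
    """Digest of an event with 'd' removed (and 'i' blanked for inception)."""
    body = {k: v for k, v in ev.items() if k != "d"}
    if ev["t"] == "icp":
        body["i"] = ""  # the identifier is derived from the inception event
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(kel: list, ilk: str, anchors=()) -> dict:
    """Append an 'icp' or 'ixn' event chained to the previous event's digest."""
    ev = {"t": ilk, "s": len(kel), "i": kel[0]["i"] if kel else "",
          "p": kel[-1]["d"] if kel else "", "a": list(anchors)}
    ev["d"] = said(ev)
    if ilk == "icp":
        ev["i"] = ev["d"]  # self-certifying: prefix == inception digest
    kel.append(ev)
    return ev

def verify_kel(kel: list) -> bool:
    """Check prefix derivation, sequence numbers, digests and back-links."""
    if not kel or kel[0]["t"] != "icp" or kel[0]["i"] != kel[0]["d"]:
        return False
    for n, ev in enumerate(kel):
        if ev["d"] != said(ev) or ev["s"] != n or ev["i"] != kel[0]["i"]:
            return False
        if n and (ev["t"] == "icp" or ev["p"] != kel[n - 1]["d"]):
            return False
    return True

def is_anchored(kel: list, deliverable: bytes) -> bool:
    """True if a valid KEL holds an ixn anchoring the deliverable's digest."""
    h = hashlib.sha256(deliverable).hexdigest()
    return verify_kel(kel) and any(h in e["a"] for e in kel if e["t"] == "ixn")

def demo():
    kel, report = [], b"market research report v1 (constructed sample)"
    append(kel, "icp")
    append(kel, "ixn", [hashlib.sha256(report).hexdigest()])
    append(kel, "ixn", [hashlib.sha256(b"approval (constructed)").hexdigest()])
    forged = copy.deepcopy(kel)  # rewrite event 1 and recompute its digest
    forged[1]["a"] = [hashlib.sha256(report + b" edited").hexdigest()]
    forged[1]["d"] = said(forged[1])
    return (is_anchored(kel, report), is_anchored(kel, report + b" edited"),
            verify_kel(forged))

if __name__ == "__main__":
    print(demo())
```

The forged log fails because the later event still points at the original digest of the event that was rewritten; hash chaining alone does not protect the newest event, which is why real KERI events are also signed and receipted by witnesses.
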
Architecture

Three-layer trust architecture

The stack operates in three layers — each building on the previous. Together they make claims at every level of an engagement cryptographically provable.

LAYER 01
Key Events
KERI provides the root of trust via the Key Event Log — an append-only record of inception, rotation, delegation, and interaction events. This is the bedrock: everything above it builds on this verifiable foundation.
icp, rot, ixn, dip, drt
LAYER 02
Credentials
ACDC credentials attest domain-specific claims — "this agent is authorised to conduct market research on behalf of conductor X", "this deliverable was approved by conductor Y on date Z". Each credential is anchored to a KEL and chains to its issuer.
ACDC Schema, issuance, revocation, vLEI
LAYER 03
Operations
Every domain action in an engagement — research completion, draft approval, deliverable sign-off, invoice issuance — references the credential layer. The full chain from action to authority to identity is traceable, without trusting any intermediary.
deliverable anchor, agent action log, approval chain

Technical Specifications

What runs under the hood

For technical teams who want to understand the stack in detail before integration.

Component | Standard / Implementation | Purpose in Engagements
KERI | Key Event Receipt Infrastructure (IETF draft) | Root identity and key management for all conductors and agents
ACDC | Authentic Chained Data Containers (ToIP standard) | Scoped, verifiable authority credentials for agent delegation
vLEI | GLEIF Verifiable Legal Entity Identifier | Organisational identity for selfdriven Foundation entities
FIDO2 / WebAuthn | W3C WebAuthn Level 2 | Passkey-based authentication linked to conductor KERI AIDs
Witness Network | 3-of-3 distributed witnesses (ap-southeast-2) | KEL receipt and availability for all engagement identifiers
Encryption | AES-256-CBC, PBKDF2-SHA256 | At-rest encryption for all sensitive engagement data
Infrastructure | AWS Lambda, Aurora Serverless V2, EntityOS | Engagement management, API layer, and KERI event processing
Anchoring | Cardano blockchain (optional) | Cross-chain KEL anchoring for engagements requiring blockchain provenance

For your engagement

What KERI means for your organisation

Verifiable accountability
You can verify, independently and without asking selfdriven, that the conductor assigned to your engagement is who they say they are and holds the authority they claim.
Tamper-evident deliverables
Every deliverable is anchored to the KEL via an interaction event. Any post-delivery modification is detectable. What you received is what was approved.
Regulatory-grade audit trail
The KEL-anchored audit trail meets the evidentiary standards required by ASIC, APRA, and international regulators. Not a log file — a cryptographic chain of evidence.
Portable engagement record
Your engagement KEL is yours. You can export it, present it to auditors, or use it as the foundation for your own KERI identity infrastructure.